KUALA LUMPUR, Jan 31 — Universiti Teknologi Mara (UiTM) has been given up to February 4 to improve security on its seven portals if it wants to avoid the threat of a daily massive leak of its students’ data, The Star reported today.
Claiming to be a UiTM student, an anonymous person who was identified in the news report by the initials “AA” posted the ultimatum to UiTM on January 29 on the text storage website Pastebin.
According to the local daily, AA threatened to post the records of 100,000 UiTM students each day on Facebook, Twitter, Instagram, Whatsapp, Telegram and Pastebin, if the university fails to implement two online security protocols known as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) by the deadline given.
SSL and TLS, which are used to encrypt communication between a user’s browser and a website which then ensures privacy and data integrity, are used for the Hypertext Transfer Protocol Secure (HTTPS) which keeps online communication secure especially for online banking and online shopping transactions.
“It would take a basic idiot one day to implement this security measure across all the sites,” AA was quoted saying.
The seven portals listed by AA are iSTUDENT Portal System, iLearn V3 Login, Electronic Question Paper System, Portal I-Staf, PRISMa, iRMIs and UiTM Consultancy Unit.
AA claimed to have the complete set of leaked student records, which previously was reported to involve the personal details of 1,164,540 UiTM students and alumni that were registered in UiTM from 2000 to 2018.
The details include their names, MyKad numbers, house addresses, email addresses, mobile numbers, campus names and student IDs.
AA told The Star that not all UiTM students care about the online data leak until they personally see their own details out in the open, also alleging that UiTM staff similarly appeared to not care about the online vulnerabilities.
AA claimed to have asked UiTM staff “multiple times” to ensure the use of SSL/TLS protocols or HTTPS for the university’s websites, particularly when it involved login or registration forms.
AA, who declined to reveal his or her status as a current student or alumnus, claimed to be aware of the security weaknesses in UiTM portals since 2013 with the allegation that the security measures were missing since the systems went online.
“Anyone can visit the portals and see that those pages do not have HTTPS, therefore anyone could steal potentially sensitive information,” AA was quoted saying.
AA also claimed to have asked UiTM repeatedly to issue a press statement confirming a data breach and data leak.
“Only after I tipped off Lowyat.net and news broke out that the university bothered to release a statement,” AA claimed, referring to portal Lowyat.net’s January 25 report of the leaked records of 1.16 million current and former UiTM students.
According to The Star, a UiTM spokesman said the university was looking into AA’s demand.
Yesterday, UiTM vice-chancellor Prof Datuk Hassan Said in a press statement on UiTM’s Facebook said that the university had received information about the sale of its students and alumni’s data in the Dark Web in November 2018.
Hassan said UiTM had then immediately lodged a police report at the Shah Alam district police headquarters, adding that police investigations are still ongoing.
Hassan said UiTM had since November 2018 worked with the National Cyber Security Agency (Nacsa), the National Security Council, the Malaysian Communications and Multimedia Commission, the Malaysian Computer Emergency Response Team (MyCERT) to conduct an investigation and analyse UiTM’s system’s integrity.
“As of today, the preliminary findings of NACSA are that there are no suspicious activities tending towards the occurence of data leak,” he said, adding that Nacsa was still probing based on the latest information.
Among other things, Hassan said UiTM is currently carrying out improvements to its procedures and operations to ensure that its network, programmes and data are protected from any attacks or unauthorised access.
The Star said Hassan had previously denied Lowyat.net’s report of data breach, with him asserting that the screencaps of the alleged leaked data did not match the format of UiTM’s internal systems.
